Identity-based policy examples for Direct Connect
By default, users and roles don't have permission to create or modify Direct Connect resources. They also can't perform tasks by using the Amazon Web Services Management Console, Amazon Command Line Interface (Amazon CLI), or Amazon API. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
To learn how to create an IAM identity-based policy by using these example JSON policy documents, see Create IAM policies (console) in the IAM User Guide.
For details about actions and resource types defined by Direct Connect, including the format of the ARNs for each of the resource types, see Actions, Resources, and Condition Keys for Direct Connect in the Service Authorization Reference.
Topics
Policy best practices
Identity-based policies determine whether someone can create, access, or delete Direct Connect resources in your account. These actions can incur costs for your Amazon Web Services account. When you create or edit identity-based policies, follow these guidelines and recommendations:
-
Get started with Amazon managed policies and move toward least-privilege permissions – To get started granting permissions to your users and workloads, use the Amazon managed policies that grant permissions for many common use cases. They are available in your Amazon Web Services account. We recommend that you reduce permissions further by defining Amazon customer managed policies that are specific to your use cases. For more information, see Amazon managed policies or Amazon managed policies for job functions in the IAM User Guide.
-
Apply least-privilege permissions – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. For more information about using IAM to apply permissions, see Policies and permissions in IAM in the IAM User Guide.
-
Use conditions in IAM policies to further restrict access – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific Amazon Web Services service, such as Amazon CloudFormation. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.
-
Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see Validate policies with IAM Access Analyzer in the IAM User Guide.
-
Require multi-factor authentication (MFA) – If you have a scenario that requires IAM users or a root user in your Amazon Web Services account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see Secure API access with MFA in the IAM User Guide.
For more information about best practices in IAM, see Security best practices in IAM in the IAM User Guide.
Direct Connect actions, resources, and conditions
With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Direct Connect supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.
Actions
Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The Action
element of a JSON policy describes the
actions that you can use to allow or deny access in a policy. Policy
actions usually have the same name as the associated Amazon API operation. There are some exceptions, such as permission-only
actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy.
These additional actions are called dependent actions.
Include actions in a policy to grant permissions to perform the associated operation.
Policy actions in Direct Connect use the following prefix before the action:
directconnect:
. For example, to grant someone permission to run an
Amazon EC2 instance with the Amazon EC2 DescribeVpnGateways
API operation, you
include the ec2:DescribeVpnGateways
action in their policy. Policy
statements must include either an Action
or NotAction
element. Direct Connect defines its own set of actions that describe tasks that you can
perform with this service.
The following example policy grants read access to Amazon Direct Connect.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "directconnect:Describe*", "ec2:DescribeVpnGateways" ], "Resource": "*" } ] }
The following example policy grants full access to Amazon Direct Connect.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "directconnect:*", "ec2:DescribeVpnGateways" ], "Resource": "*" } ] }
To see a list of Direct Connect actions, see Actions Defined by Direct Connect in the IAM User Guide.
Resources
Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The Resource
JSON policy element specifies the object or objects to which the action applies. Statements must include either a
Resource
or a NotResource
element. As a best practice, specify a resource using its Amazon Resource Name (ARN). You can do this for actions that support a
specific resource type, known as resource-level permissions.
For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.
"Resource": "*"
Direct Connect uses the following ARNs:
Resource Type | ARN |
---|---|
dxcon | arn:${Partition}:directconnect:${Region}:${Account}:dxcon/${ConnectionId} |
dxlag |
arn:${Partition}:directconnect:${Region}:${Account}:dxlag/${LagId} |
dx-vif | arn:${Partition}:directconnect:${Region}:${Account}:dxvif/${VirtualInterfaceId} |
dx-gateway | arn:${Partition}:directconnect::${Account}:dx-gateway/${DirectConnectGatewayId} |
For more information about the format of ARNs, see Amazon Resource Names (ARNs) and Amazon Service Namespaces
For example, to specify the dxcon-11aa22bb
interface in your
statement, use the following ARN:
"Resource": "arn:aws:directconnect:us-east-1:123456789012:dxcon/dxcon-11aa22bb
To specify all virtual interfaces that belong to a specific account, use the wildcard (*):
"Resource": "arn:aws:directconnect:*:*:dxvif/*"
Some Direct Connect actions, such as those for creating resources, cannot be performed on a specific resource. In those cases, you must use the wildcard (*).
"Resource": "*"
To see a list of Direct Connect resource types and their ARNs, see Resource Types Defined by Amazon Direct Connect in the IAM User Guide. To learn with which actions you can specify the ARN of each resource, see SERVICE-ACTIONS-URL;.
Condition keys
Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The Condition
element (or Condition
block) lets you specify conditions in which a
statement is in effect. The Condition
element is optional. You can create
conditional expressions that use condition
operators, such as equals or less than, to match the condition in the
policy with values in the request.
If you specify multiple Condition
elements in a statement, or
multiple keys in a single Condition
element, Amazon evaluates them using
a logical AND
operation. If you specify multiple values for a single
condition key, Amazon evaluates the condition using a logical OR
operation. All of the conditions must be met before the statement's permissions are
granted.
You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM policy elements: variables and tags in the IAM User Guide.
Amazon supports global condition keys and service-specific condition keys. To see all Amazon global condition keys, see Amazon global condition context keys in the IAM User Guide.
Direct Connect defines its own set of condition keys and also supports using some global condition keys. To see all Amazon global condition keys, see Amazon Global Condition Context Keys in the IAM User Guide.
You can use condition keys with the tag resource. For more information, see Example: Restricting Access to a Specific Region.
To see a list of Direct Connect condition keys, see Condition Keys for Direct Connect in the IAM User Guide. To learn with which actions and resources you can use a condition key, see SERVICE-ACTIONS-URL;.
Using the Direct Connect console
To access the Direct Connect console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Direct Connect resources in your Amazon account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (s or roles) with that policy.
To ensure that those entities can still use the Direct Connect console, also attach the following Amazon managed policy to the entities. For more information, see Adding Permissions to a User in the IAM User Guide:
directconnect
You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon API. Instead, allow access to only the actions that match the API operation that you're trying to perform.
Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the Amazon CLI or Amazon API.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws-cn:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }
Read-only access to Amazon Direct Connect
The following example policy grants read access to Amazon Direct Connect.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "directconnect:Describe*", "ec2:DescribeVpnGateways" ], "Resource": "*" } ] }
Full access to Amazon Direct Connect
The following example policy grants full access to Amazon Direct Connect.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "directconnect:*", "ec2:DescribeVpnGateways" ], "Resource": "*" } ] }